RSEC-2025-1

Import Source
https://github.com/RConsortium/r-advisory-database/blob/main/vulns/plotly/RSEC-2025-1.yaml
JSON Data
https://api.osv.dev/v1/vulns/RSEC-2025-1
Upstream
Published
2025-12-23T15:00:00Z
Modified
2025-12-26T23:08:35.858759Z
Summary
Risk of __proto__ pollution vulnerability
Details

The plotly R package, up to and including the latest version 4.11.0, includes plotly.js library 2.11.1. Plotly.js releases prior to version 2.25.2 have a risk of __proto__ being polluted in expandObjectPaths or nestedProperty.

References

Affected packages

CRAN / plotly

Package

Name
plotly
Purl
pkg:cran/plotly

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.0.2

Affected versions

2.*

2.0.2
2.0.3
2.0.16

3.*

3.4.1
3.4.13
3.6.0

4.*

4.5.2
4.5.6
4.6.0
4.7.0
4.7.1
4.8.0
4.9.0
4.9.1
4.9.2
4.9.2.1
4.9.2.2
4.9.3
4.9.4
4.9.4.1
4.10.0
4.10.1
4.10.2
4.10.3
4.10.4
4.11.0

Database specific

source

"https://github.com/RConsortium/r-advisory-database/blob/main/vulns/plotly/RSEC-2025-1.yaml"